Privilege Escalation in AWS Advanced Go Wrapper for Amazon Aurora...

8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Description

An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, including rds_superuser, via a crafted function created by the actor that runs when that user connects to the cluster through the affected wrapper.

To remediate this issue, users should upgrade to the AWS Advanced Go Wrapper release 2026-05-26

Basic Information

ID CVE-2026-11401

Source AMZN

Published Jun 5, 2026 at 19:07

Modified Jun 5, 2026 at 19:23

Affected Product

Vendor AWS

Product AWS Advanced Go Wrapper

Version 2026-04-06

Affected Versions AWS AWS Advanced Go Wrapper 2026-04-06

CWE Classification

CWE-426

References

{
    "lastseen": "",
    "description": "An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, including rds_superuser, via a crafted function created by the actor that runs when that user connects to the cluster through the affected wrapper.\n\n\n\nTo remediate this issue, users should upgrade to the AWS Advanced Go Wrapper release 2026-05-26",
    "published": "2026-06-05T19:07:56.341Z",
    "modified": "2026-06-05T19:23:51.007Z",
    "type": "cve",
    "title": "Privilege Escalation in AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL",
    "source": "AMZN",
    "references": "https://github.com/aws/aws-advanced-go-wrapper/releases/tag/release-2026-05-26\nhttps://aws.amazon.com/security/security-bulletins/2026-039-aws/\nhttps://github.com/aws/aws-advanced-go-wrapper/security/advisories/GHSA-r236-5pc3-3qcp",
    "id": "CVE-2026-11401",
    "bulletinFamily": "",
    "cwe": [
        "CWE-426"
    ],
    "cvelist": null,
    "sourceData": "AWS AWS Advanced Go Wrapper 2026-04-06",
    "sourceHref": "",
    "cvss": {
        "score": 8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "AWS Advanced Go Wrapper",
    "version": "2026-04-06",
    "vendor": "AWS",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Privilege Escalation in AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL_CVE-2026-11401